Bug 3000 - Redirect of ProxyCommands' stderr to /dev/null hides useful information
Summary: Redirect of ProxyCommands' stderr to /dev/null hides useful information
Status: NEW
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh (show other bugs)
Version: 8.0p1
Hardware: amd64 Linux
: P5 minor
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-04-30 00:31 AEST by Jérémie Roquet
Modified: 2019-04-30 00:31 AEST (History)
0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Jérémie Roquet 2019-04-30 00:31:46 AEST 
Hi,

8.0p1 introduces that change (from the release notes¹):

 * ssh(1): Redirect stderr of ProxyCommands to /dev/null when ssh is
   started with ControlPersist; prevents random ProxyCommand output
   from interfering with session output.

I'm sure there are very good reasons to do that, however it has the annoying side effect of hiding information that may otherwise be useful.

Having updated yesterday, I've been missing two things already:
 - the output generated by SSH's own VisualHostKey, which is printed to stderr;
 - the instructions sent on stderr by some SSH bastion I've no control over, about how to use its proprietary 2FA (namely RSA SecurID).

I could probably live without the former (that's just a handy visual clue I'm accustomed to), but I'm kind of lost without the latter, because there's nothing standard in how that bastion expects me to reply to the password prompt.

I can see plenty of other cases where stderr could be important for ProxyCommands, starting with actual error messages one would expect to find here.

Is there some subtlety I've missed here? Or any way to prevent stderr from being hidden? I guess I could redirect it to stdout right in the ProxyCommand, but that seems a bit “hacky”…

Thanks!

¹ https://www.openssh.com/releasenotes.html